Qname Minimization talk
Qname Minimization @ DNS-OARC
A storify of social media references (mostly twitter) to my recent talk on DNS query name minimization at the 2015 Spring DNS-OARC workshop in Amsterdam, the Netherlands.
- At the recent DNS-OARC workshop in Amsterdam, I spoke about 'DNS query name minimization and authoritative server behavior'. The talk was received well, evidenced by the long line of questions and comments afterwards. The energetic Stéphane Bortzmeyer of AFNIC live tweeted the whole workshop and I've excerpted several of his tweets about my talk below, along with a few others from Sebastian Castro of .NZ Registry Services.
- The entire video of the talk along with the Q&A section can be viewed at: https://www.youtube.com/watch?v=UcAygzNSxlI&t=1h02m36s …
- The slide deck for the talk is below, and also can be downloaded (PDF) from https://indico.dns-oarc.net/event/21/contribution/9/material/slides/0.pdf …
- Stéphane starts his live tweeting ...
- A photo of me taken by my Verisign Labs colleague, Duane Wessels, who was on stage introducing the speakers for the Saturday afternoon portion of the workshop.
- Qname minimisation improves privacy by *not* sending the full query name to the auth. name servers. #OARCworkshop
- Implementation of qname minimisation in a special resolver (in Python). Works for normal domains, fails for Akamai. #OARCworkshop #DNS
- Akamai is broken for ENT (Empty Non Terminals): it sends NXDOMAIN. #OARCworkshop #DNS #previousTweet
- Re-stating here, as I mention in the talk, Akamai has acknowledged the defect and has said that they are working on a plan to fix this in the future.
- http://datatracker.ietf.org/doc/draft-vixie-dnsext-resimprove/ … (section 3) mentioned again. Time to resurrect it at IETF? #OARCworkshop #DNS
- Stéphane here is referring to my mention (see slide #23) of the expired Internet draft by Vixie et al. on several measures to improve the resilience and robustness of DNS resolvers. Section 3 of this draft specifically outlines a better and far more efficient way to perform negative caching that more correctly interprets response code 3 (NXDOMAIN).
- A workaround while Akamai and Cloudflare fix their bugs on Empty Non Terminal handling? No good solution. #OARCworkshop #DNS
- I discuss the possibility of implementing workarounds for the buggy behavior of the CDNs - the brute force method of ignoring NXDOMAIN responses for intermediate qnames exposes nameservers to a class of new denial of service attacks, so probably isn't a good idea.
- Yup, a couple of months after my initial discussion with Cloudflare, they had already deployed a fix. I showed a fixed example run with the IETF website during the talk, but since that was also the time that the IETF website moved to Cloudflare's new DNSSEC enabled platform, I speculated about whether the NXDOMAIN fix happened independently, or whether it was a by-product of Cloudflare's DNSSEC deployment. Both Olafur G of Cloudflare and Bert Hubert of PowerDNS asserted that it isn't really possible to deploy DNSSEC (correctly) without fixing the response behavior at empty non-terminals. I agree.
- Today, with the prevalence of Akamai, 13 % of Alexa Top 1000 fail with qname minimisation. #OARCworkshop #DNS
- Most of the failures are due to Akamai, being one of the most popular CDNs. But there are a number of other CDNs and DNS hosting providers on the list too. See slide 33.
- Qname minimisation increases in some cases the number of queries, especially for deep names (ip6.arpa ...) #OARCworkshop #DNS
- See slides 36 through 38 of my presentation, where I show examples where qname minimization results in additional queries, specifically for zones that span names that are multiple labels deep. Particularly stark examples can be seen in the IPv6 reverse DNS tree.
- Great presentation from @shuque about Qname Minimisation. More traffic, more privacy #OARCworkshop
- @secastro More traffic for a cold cache. He did not measure caching effects yet. #OARCworkshop
- This is true. Some additional measurements I proposed to do towards the end of the talk will take into account caching effects, among other things.
- Proof that qname minimisation increases the number of queries: there is a very long queue at the microphone :-) #OARCworkshop
- Funny but perhaps true! My talk resulted in one of the longer queues at the microphone. If I recall correctly, the queue was composed of Bert Hubert (PowerDNS), Warren Kumari (Google), Olafur Gudmundsson (Cloudflare), Ed Lewis (ICANN), Lars Liman (Netnod), Kazunori Fujiwara (Japan Registry Services), Ondrej Sury (CZ.NIC), Cathy Almond (ISC), and someone else whose name I didn't catch.
- "QNAME minimisation may affect the uses of passive DNS for security and data mining" says @shuque #OARCworkshop
- Yes. The way I phrased it is that today authoritative server operators as well as other organizations like DNS-OARC itself (with the DITL project) have traditionally used full query name information for a variety of analytical and security functions. If this information disappears, and we still desire to execute these functions, then this role may have to shift to other actors in the DNS ecosystem, or alternative systems may need to be developed.
- Yes, this is yet another example of the classic privacy-vs-security tradeoff. Increased privacy for the user comes at the expense of more information at the authority servers that may have been used in security analysis functions. Note that the user has not gained privacy from the recursive server operator though, so further privacy may involve dealing with that problem.
- Do not run PowerDNS 2.9 from @PowerDNS_Bert #OARCworkshop
- This was an exhortation from Bert Hubert of PowerDNS at the microphone after my talk. Bert apologized that the last major release of PowerDNS (2.9) messed up handling of empty-non-terminals too. This release is 6 years old and should not be used any more, but sadly it appears to be "the Windows XP of PowerDNS", refusing to die. It is currently believed to be the most widely deployed version of PowerDNS in the field. Bert identified a PowerDNS 2.9 user in my list of failures in the Alexa top 1000 and will reach out and contact them about the issue.
- "Many people do not understand the concept of Empty Non Terminal, they even deny it exists" (Gudmundsson at #OARCworkshop) #DNS
- A mini diatribe by Olafur about the longstanding misunderstanding of Empty Non Terminals in the technical community.
- Breaking: the Knot #DNS resolver (under development) will have query minimization. #OARCworkshop
- This is in reference to Ondrej Sury's comment at the mic that the CZ.NIC Knot resolver (first release planned by end of year) will implement query name minimization. This is the first resolver implementer that has publicly stated their plans to implement it. Ondrej asked if I'd be available to talk to his colleagues who are implementing this. Later in the week, Marek Vavrusa of CZ.NIC spoke about Knot at the RIPE70 meeting and I spoke to him afterwards. Their initial implementation only does minimized queries at the DNS root, switching to full query names after seeing a referral, mainly to avoid problems downstream with potentially broken servers (like some CDNs). This is a partial implementation of minimization, but nonetheless a step in the right direction.
- Update (2015-05-21): Marek clarified to me that the Knot resolver stops minimization after encountering the first 'authoritative' answer (not 'referral'), so it stops when processing a name through a zone that is multiple labels deep, or when it encounters an NXDOMAIN response.
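- The three behaviours discussed above (correct NODATA at empty non-terminals versus the CDN defect that returns NXDOMAIN there, the extra queries that deep names such as the IPv6 reverse tree cost, and a Knot-style fallback that stops minimizing after the first non-referral answer) can be reproduced offline with a small simulation. The Python below is an added example written for this page; it is not the Python resolver from the talk nor Knot's code. The zones, the example.com "CDN" zone with its `buggy_ent` switch, the 2001:db8::/32 reverse zone and the `"fallback"` strategy (my reading of the Knot update above) are all constructed assumptions, and query type is abstracted away since only the response class matters here.

```python
"""Offline simulation of DNS query name (QNAME) minimization.

Added example, not the talk's resolver. Zones, names and the `buggy_ent`
switch are constructed to show NODATA at empty non-terminals (ENTs), the
CDN defect (NXDOMAIN at ENTs) and the query inflation for deep names.
"""
from dataclasses import dataclass, field

def labels(name):
    """Labels of an absolute name, most specific first; the root '.' gives []."""
    return [l for l in name.rstrip(".").split(".") if l]

def is_below(name, ancestor):
    """True if `name` is strictly below `ancestor` (both absolute names)."""
    if name == ancestor:
        return False
    return ancestor == "." or name.endswith("." + ancestor)

@dataclass
class Zone:
    apex: str
    records: set = field(default_factory=set)      # owner names that hold data
    delegations: set = field(default_factory=set)  # child apexes answered by referral
    buggy_ent: bool = False                        # constructed CDN defect: NXDOMAIN at ENTs

    def query(self, qname):
        """Authoritative response class for qname: referral, answer, nodata or nxdomain."""
        for child in self.delegations:
            if qname == child or is_below(qname, child):
                return "referral", child
        if qname == self.apex or qname in self.records:
            return "answer", None
        if any(is_below(n, qname) for n in self.records | self.delegations):
            # qname is an empty non-terminal: a correct server answers NOERROR with
            # no data (NODATA); the broken servers discussed above say NXDOMAIN.
            return ("nxdomain" if self.buggy_ent else "nodata"), None
        return "nxdomain", None

def resolve(target, zones, strategy="full"):
    """Resolve `target` from the root; return (final response class, query log).

    "none":     send the full name every time (classic resolver behaviour);
    "full":     always minimize; an NXDOMAIN for an intermediate name ends the
                resolution, which is the failure seen with the buggy CDNs;
    "fallback": my reading of the Knot approach: stop minimizing after the first
                non-referral response and send the full name from then on.
    """
    tl = labels(target)
    zone, depth, minimizing, log = zones["."], 0, strategy != "none", []
    while True:
        depth = depth + 1 if minimizing and depth < len(tl) else len(tl)
        qname = "." if depth == 0 else ".".join(tl[-depth:]) + "."
        code, child = zone.query(qname)
        log.append((zone.apex, qname, code))
        if code == "referral":
            zone, depth = zones[child], max(depth, len(labels(child)))
            continue
        if depth == len(tl) or (code == "nxdomain" and strategy == "full"):
            return code, log
        if strategy == "fallback":
            minimizing = False

def reverse_ip6_name(nibbles):
    """PTR owner name under ip6.arpa for a string of hex nibbles (constructed helper)."""
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

IP6_PREFIX_ZONE = reverse_ip6_name("20010db8")                 # 2001:db8::/32
IP6_HOST = reverse_ip6_name("20010db8" + "0" * 20 + "0001")   # 2001:db8::1

def build_zones(buggy_cdn=False):
    """Constructed zone set; example.com stands in for a CDN-hosted zone with an ENT."""
    zs = [
        Zone(".", delegations={"com.", "arpa."}),
        Zone("com.", delegations={"example.com."}),
        Zone("example.com.", records={"www.example.com.", "a.b.example.com."},
             buggy_ent=buggy_cdn),                              # b.example.com. is an ENT
        Zone("arpa.", delegations={"ip6.arpa."}),
        Zone("ip6.arpa.", delegations={IP6_PREFIX_ZONE}),
        Zone(IP6_PREFIX_ZONE, records={IP6_HOST}),
    ]
    return {z.apex: z for z in zs}

def query_count(target, strategy, buggy_cdn=False):
    """Number of authoritative queries one resolution takes under the given strategy."""
    return len(resolve(target, build_zones(buggy_cdn), strategy)[1])

if __name__ == "__main__":
    for name in ("www.example.com.", "a.b.example.com.", IP6_HOST):
        for strategy in ("none", "full", "fallback"):
            code, log = resolve(name, build_zones(), strategy)
            print(f"{strategy:8} {len(log):3} queries -> {code:8} {name[:28]}")
    code, log = resolve("a.b.example.com.", build_zones(buggy_cdn=True), "full")
    print("buggy ENT + full minimization:", code, [q[1:] for q in log])
```

Running it shows the trade-off in numbers: the 34-label PTR name for 2001:db8::1 costs 4 queries without minimization, 34 with full minimization (one per label walked through ip6.arpa and the /32 zone, each answered NODATA) and 5 with the fallback strategy; and with `buggy_cdn=True` full minimization stops at `b.example.com.` with NXDOMAIN, while the fallback strategy retries with the full name and succeeds, at the price of trusting that an intermediate NXDOMAIN was a lie.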
- Link to my DNS-OARC qname minimization talk description & slides: #OARCworkshop https://indico.dns-oarc.net/event/21/contribution/9 …